id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,focuses
24792,Post/Page protection password size limitation truncates passwords - is not documented,RayBernard,,"In 3.5.1 and 3.5.2 the post/page feature ""Visibility: password protected"" as documented in http://codex.wordpress.org/Using_Password_Protection truncates entered passwords at 20 characters. A longer password is accepted, and when truncated no notice is provided. Verified with NO PLUGINS activated in TwentyTwelve theme.
Steps to reproduce:
1. Edit a page (or post).
2. Edit the default ""Visibility: Public"" settings for a page or post.
3. Choose ""Password protected"" and enter ABCDEFGHIJKLMNOPQRSTUVWXYZ for the password, click OK, then Update (or Publish).
4. View the page, which now has ""Protected"" status, and enter the full password (A through Z). The page redisplays prompting again for password. This time enter just the first 20 characters (ABCDEFGHIJKLMNOPQRST). The password is accepted and the page displays.
5. Edit the page again, and edit the ""Visibility: Password protected"" setting. You will see the truncated password. Click in the Password entry box and press the down arrow key. You will find two entries: the truncated password and the original long password.
Go to the Codex documentation and view the Password Form Text section. You will see example code for adding a filter to replace the default password entry form with a custom form. The example password INPUT field contains 'size=""20""' -- but that is a display limitation not an input restriction, which would require using 'maxlength=""20""'.
MAXLENGTH
The maximum number of characters that will be accepted as input. This can be greater that specified by SIZE , in which case the field will scroll appropriately. The default is unlimited.
The following post on WordPress Answers states that the limitation is a database limitation. See http://wordpress.stackexchange.com/questions/55975/how-can-i-increase-the-character-limit-for-post-passwords.
There are hundreds of posts on the Web each year going back to 2008 stating that the post/page password protection feature was not working. I suspect that some of these were due to the 20-character truncation.
I reported this as a bug because it is a documentation defect. I did not wish to confuse things by requesting the capability to enter a longer password (new feature request?), or in any way detract from the importance of correcting the codex documentation to include this hidden limitation.
Here are two example documentation changes:
A. Insert a section titled ""Password Size Limitation"":
'''Password Size Limitation'''
Currently the password is limited to no more than 20 characters. Passwords longer than 20 characters will be truncated to 20 characters.
B. Correct the example code so that it actually limits the character input to 20 characters using maxlength. Such as:
{{{
function my_password_form() {
global $post;
$label = 'pwbox-'.( empty( $post->ID ) ? rand() : $post->ID );
$o = '